595 Views 3 Replies Latest reply: Oct 11, 2013 9:43 AM by Kary Tankink RSS
romardy Apprentice 116 posts since
Sep 26, 2012

Oct 10, 2013 2:08 AM

McAfee HIPS

HIPS 8.0 blocks mspaint when IPS Options is enabled. No visibility yet into what other Windows files it blocks, but I disabled the policy as a temporary solution.

Are there any default IPS rules that are blocking mspaint?

Thanks!

  • Kary Tankink McAfee Employee 659 posts since
    Mar 3, 2010
    1. Oct 10, 2013 9:51 AM (in response to romardy)
    Re: McAfee HIPS

    Are there any default IPS rules that are blocking mspaint?

    HIPS 8.0 default configuration does not block anything, as Host IPS is off. If you enable it, HIGH severity signatures are PREVENTED, none of which block mspaint.exe.

    You might have enabled Signature 6011 (disabled by default), which enables application control in the product. Check the HIPS Activity Log in the ClientUI for signature triggers for mspaint.exe.

    KB67056 - Third-party application stops working or is impaired after McAfee Host Intrusion Prevention is installed or content is updated

    https://kc.mcafee.com/corporate/index?page=content&id=KB67056

  • Kary Tankink McAfee Employee 659 posts since
    Mar 3, 2010
    3. Oct 11, 2013 9:43 AM (in response to romardy)
    Re: McAfee HIPS

    FYI, in case you weren't aware of how the product functions normally.

    The design of the HIPS product is to tune IPS signatures for your environment. Signatures should be tested in a test/lab environment first, tuned, then applied to production. IPS events need to be continually monitored and the policy tuned (e.g., as the environment changes) whenever new issues occur. Signatures 6010 and 6011 are specific to the Application Blocking functionality of the HIPS product.

    KB71794 - How to configure application blocking/hooking functionality with Host Intrusion Prevention 8.0

    https://kc.mcafee.com/corporate/index?page=content&id=KB71794

    KB73399 - FAQs for Host Intrusion Prevention 8.0

    https://kc.mcafee.com/corporate/index?page=content&id=KB73399

    Top Issues

    Client IPS/FAQ - IPS Events

    IPS signature events are one of the top call generators for the Host Intrusion Prevention (Host IPS) product. Normally, these inquiries are the result of IPS Signature Event triggers. In general, Host IPS offers IPS and firewall protection for endpoint systems as part of a layered protection strategy. This layered protection strategy should include network gateway firewall/intrusion systems or filtering, endpoint anti-virus, and endpoint anti-malware applications, in addition to Host IPS.

    Host IPS signature content provides security to protect against known system vulnerabilities and unknown (zero-day) vulnerabilities. Zero-day is defined as the gap between unpatched systems and subsequently applying released security updates for confirmed vulnerabilities. Host IPS content contains generic buffer overflow and other generic signature mechanisms to protect systems during this zero-day gap period. However, McAfee recommends that you apply all operating system and application-specific security updates as soon as practical within your environment to reduce frequent or repeated IPS signature detections.

    McAfee advises that you follow a general methodology for reviewing operating system and application-specific security updates, and also patch systems and applications on a monthly or regular basis. McAfee also advises that you review monthly Host IPS signature updates for correlation to specific vendor security updates that are released. Host IPS signatures mapping directly to vendor-available security updates can be safely disabled on updated systems. McAfee recommends that you review enabled signature content and system patching with available security updates monthly to reduce the likelihood of excessive false positives on already updated systems.

    Use the following general methodology when assessing IPS signature events:

    1. Identify the signature number that is being triggered.
    2. Review the IPS Signature number description information from the IPS Rules policy in ePolicy Orchestrator (ePO).
    3. Review the References CVE description link(s), if any are included in the description information for that signature.
    4. Identify whether any Microsoft Technet Security Bulletins are linked for the applicable vulnerability, and identify whether any Microsoft security updates have been released that resolve the vulnerability.
    5. Verify whether systems reporting the IPS event have any applicable Microsoft Security Updates applied (as noted above):

      1. If so, the applicable IPS Signature may be disabled on the systems having the associated Microsoft Security Updates applied.
      2. If not, McAfee recommends that you apply the applicable Microsoft Security Updates to the affected systems at your earliest convenience.
    6. If no CVE description links are noted for the triggering IPS signature, review all advanced details for the received IPS event.
    7. Identify whether the event triggers correlate to normal business usage or process.
    8. Identify whether the systems experiencing the event have all of the latest Microsoft Security Updates applied.
    9. Identify whether the IPS event is specific for a third-party process, such as Adobe or other non-Microsoft application, process, or other tool. If so, review all applicable security updates from the vendor and ensure they are applied on the systems.
    10. If the signature is still triggering after an applicable vendor security update has been applied, consider the event a false positive and either disable the signature to the updated systems, or create an IPS exception for the updated systems to stop all further signature detections.
    11. If there is no applicable vendor security update available, determine whether the affected systems have current anti-virus and anti-malware definitions for McAfee VirusScan or other installed endpoint protection application. Perform a full scan on the affected systems.
    12. Determine whether the affected systems are protected by other perimeter security measures, such as Network Intrusion Detection.
    13. Enable verbose debug logging by enabling Log security violations for Host IPS so advanced information can be collected in the HipShield.log. See article KB54473 for relevant information regarding IPS security violations in the HipShield.log.
    14. Contact McAfee support for further analysis.
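The assessment steps above boil down to a small decision procedure per event: is the signature an Application Blocking signature (6010/6011), does it reference a CVE and a vendor update, and does the reporting host already have that update applied. The script below is an added example, not McAfee's code or any Host IPS tooling and not part of the original post. It applies that procedure to a batch of events. The signature reference table, the per-host patch inventory and the events are constructed sample data: signature numbers 90001-90003, their CVE and KB identifiers and the host names are hypothetical placeholders. Only 6010 and 6011 come from the thread, which identifies them as the Application Blocking signatures.

```python
"""Triage helper for Host IPS signature events (added example, constructed data).

Applies the assessment methodology to a list of events and recommends an
action per event. In practice the signature-to-update mapping comes from the
signature's References in the IPS Rules policy (steps 2-4) and the patch
inventory from your endpoint management data (step 5).
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed reference table: signature id -> CVE / Microsoft update it maps to.
# All values are HYPOTHETICAL placeholders, not real Host IPS signature mappings.
SIGNATURE_REFERENCES = {
    90001: {"cve": "CVE-0000-0001", "kb": "KB0000001"},  # hypothetical
    90002: {"cve": "CVE-0000-0002", "kb": "KB0000002"},  # hypothetical
    90003: {},  # hypothetical signature with no CVE reference (step 6)
}

# Signatures the thread ties to Application Blocking rather than a vulnerability.
APPLICATION_BLOCKING_SIGNATURES = frozenset({6010, 6011})

# Constructed patch inventory: host -> Microsoft update KBs installed (step 5).
INSTALLED_UPDATES = {
    "ws-101": frozenset({"KB0000001"}),  # hypothetical host, patched
    "ws-102": frozenset(),               # hypothetical host, unpatched
}


@dataclass(frozen=True)
class IpsEvent:
    """One IPS signature event as read from the activity log (constructed shape)."""
    host: str
    signature: int
    process: str


def triage(event, references=SIGNATURE_REFERENCES, inventory=INSTALLED_UPDATES):
    """Return (action, reason) for a single event following the methodology."""
    sig = event.signature
    # Application Blocking events are policy decisions, not vulnerability hits:
    # review the blocking rules for the process instead of looking for a patch.
    if sig in APPLICATION_BLOCKING_SIGNATURES:
        return ("review-app-blocking",
                f"signature {sig} is Application Blocking; review its rules for {event.process}")
    ref = references.get(sig)
    if ref is None:
        # Step 1-2: signature not yet looked up in the IPS Rules policy.
        return ("lookup-signature",
                f"signature {sig} not in the reference table; read its description in the IPS Rules policy")
    kb = ref.get("kb")
    if not kb:
        # Steps 6-9: no CVE link, so inspect advanced details and normal business usage.
        return ("review-advanced-details",
                f"signature {sig} has no CVE reference; review advanced event details and normal usage")
    if kb in inventory.get(event.host, frozenset()):
        # Step 5a / 10: the host already carries the fix, so the hit is a candidate
        # false positive; disable the signature or add an exception for that host.
        return ("disable-or-exception",
                f"{event.host} has {kb} applied; signature {sig} is a candidate false positive")
    # Step 5b: the host is missing the update that closes the referenced CVE.
    return ("apply-update",
            f"{event.host} lacks {kb} for {ref['cve']}; patch before tuning the signature")


def triage_report(events, **kwargs):
    """Group events by recommended action so each bucket can be worked as a unit."""
    report = defaultdict(list)
    for event in events:
        action, reason = triage(event, **kwargs)
        report[action].append((event, reason))
    return dict(report)


# Constructed sample events covering each branch of the decision logic.
SAMPLE_EVENTS = [
    IpsEvent("ws-101", 6011, "mspaint.exe"),
    IpsEvent("ws-101", 90001, "app.exe"),
    IpsEvent("ws-102", 90001, "app.exe"),
    IpsEvent("ws-102", 90003, "tool.exe"),
]

if __name__ == "__main__":
    for action, items in sorted(triage_report(SAMPLE_EVENTS).items()):
        print(action)
        for event, reason in items:
            print(f"  {event.host} sig {event.signature} ({event.process}): {reason}")
```

The "disable-or-exception" bucket is the one to act on per host rather than globally: step 5a scopes the disable to the systems that have the update applied, which in ePO terms means an IPS exception or a policy assignment for those systems, not turning the signature off for unpatched hosts.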
